GM/T 0044.2-2016 Identity-based cryptographic algorithms SM9 - Part 2: Digital signature algorithm
1 Scope
This part of GM/T 0044‒2016 specifies an identity-based digital signature algorithm built upon pairings from elliptic curves, including the digital signature generation and verification algorithms together with their corresponding processes.
This part of GM/T 0044‒2016 is applicable for a receiver to use the signer’s identity to verify data integrity and the sender’s identity; and for a third party to verify authenticity of a signature and the signed message.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes the requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GM/T 0004, SM3 Cryptographic Hash Algorithm GM/T 0005, Randomness Test Specification
GM/T 0044.1‒2016, SM9 Identity-based Cryptographic Algorithms — Part 1: General GM/Z 4001, Cryptographic Terminology
3 Terms and definitions
For the purposes of this document, GM/Z 4001 defined and the following terms and definitions apply.
3.1 message
bit string of finite length.
3.2 signed message
group of data elements that consists of a message and its digital signature.
3.3 signature key
private key of the signer; the secret data element used by the signer in the digital signature generating process.
3.4 signature master key
topmost key in the key hierarchy of an identity–based cryptographic system, composed of the signature master private key and the signature master public key. The signature master public key is publicly available, while the signature master private key is kept secret by the KGC. The KGC generates the user’s signature private key by using the signature master private key and the user’s identity. In an identity– based cryptographic system, the signature master private key is usually generated by the KGC using random number generators, while the signature master public key is generated with the signature master private key and the system parameters.
3.5 identity
information that can be used to confirm the identity of an entity, composed of non-repudiable information about the entity, such as its distinguishable name, email address, identity card number, telephone number, and street address.
3.6 key generation center (KGC)
trusted authority responsible for the selection of system parameters, generation of the signature master keys, and generation of users’ signature private keys (in this part).
4 Symbols
The following symbols apply to this part.
A, B: two users using the identity-based cryptographic system
cf: cofactor of the order of an elliptic curve relative to N
cid : curve identifier that indicates the type of elliptic curve, denoted by one byte, where 0x10 represents an ordinary curve (a non-supersingular curve) over Fp (the prime number p > 2191), 0x11 represents a supersingular curve over Fp , and 0x12 represents the ordinary curve and its twisted
curve over F
dsA: signature private key of the user A
e: a bilinear pairing from G1 × G2 to GT
eid : bilinear pairing identifier to distinguish the type of the bilinear pairing e , denoted by one byte, where 0x01 represents the Tate pairing, 0x02 represents the Weil pairing, 0x03 represents the Ate pairing, and 0x04 represents the R-Ate pairing
GT: a multiplicative cyclic group of prime order N
G1: an additive cyclic group of prime order N
G2: an additive cyclic group of prime order N
gu: g to the power of u, where g is an element in the multiplicative group GT and u is a positive integer, that is gu = g . g . … . g
一--一--一
Multiply u times
Hv ( ): a cryptographic hash function
H1( ), H2( ): cryptographic functions derived from the cryptographic hash function
hid: identifier of the signature private key generating function, denoted by one byte, selected and made
public by the KGC
(h, S): the sent signature
(h', S'): the received signature
IDA: the identity of the user A that uniquely determines the public key of A
M: the message to be signed M' : the message to be verified
mod n: the operation of modulo n, for example, 23 mod 7 = 2
